Google has issued security updates for its Chrome browser on Mac, Linux, and Windows to address a zero-day vulnerability said to have been exploited in real-world attacks.
The flaw, tracked as CVE-2023-3079, is a type confusion issue within the V8 engine in Google Chrome. The vulnerability can be used by a remote attacker to execute arbitrary code on the target system via a specially crafted web page.
Google withheld technical details on the bug, as well as information about how and when the vulnerability has been exploited.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” the internet giant noted.
At the beginning of June, Google announced it tripled payouts for Chrome sandbox escape chain exploits as part of the Chrome Vulnerability Rewards Program, set to run until December 1, 2023.
“The full chain exploit must result in a Chrome browser sandbox escape, with a demonstration of attacker control / code execution outside of the sandbox. The exploit scenario must be fully remote and the exploit able to be used by a remote attacker,” Google explained.
A full chain exploit could result in a total reward of over $165,000 - $180,000 for the first full chain exploit and over $110,000 - $120,000 for subsequent full chain exploits.